How to Start an IT Security Conversation in the Boardroom

The last few years have been a cyber-security nightmare with corporate data breaches dominating IT security conversations. As we settle into a new year — with cyber attacks expected to worsen — frustrated boards of directors are entering the fray.

Before high-profile breaches, security was an IT-centric discussion. This is partly because executives usually speak the language of dollars, cents and business metrics, while security professionals typically speak more technically. The result: a communication breakdown.

“I’ve seen CSOs give a 45-minute presentation to the board of directors about security, and five minutes into it, attendees are pulling out their phones, they’re doing something else, and the CSO has totally lost the audience because they weren’t speaking to them in their language,” says Eric Cole, senior fellow at the SANS Institute.

After a seemingly endless loop of headlines chronicling the plight of organizations like Sony that had enormous resources dedicated to security but were breached anyway, companies’ boards are sitting up and taking notice. They’re asking:

Can this happen to us?

How do we know someone hasn’t already compromised us and stolen our data to sell it or put it on display?

If we are breached, what steps should we take and how long will it take us to recover?

In its 2015 Global Megatrends in Cybersecurity study, which surveyed more than 1,000 global CIOs, CISOs and other IT leaders, the Ponemon Institute reported that 78 percent of respondents said their board of directors had not been briefed on their organization's cyber-security strategy in the past 12 months.

Companies’ boards need an accurate picture of the risks their organizations are facing, and security professionals have to find a way to give it to them in a language they understand.

In order to effectively communicate with the board about security, it’s imperative to consider the common misconceptions involved.

The Biggest Misconceptions Executives Have About IT Security

When you speak with the C-suite and board about IT security, you most likely encounter the following two common misconceptions:

1. Compliance Equals Security

Many executives believe that a compliant organization equals a secure organization. They may think, “If I’m aligned with the ISO framework and compliant with regulations like PCI, SOX and GLBA, I must be secure, right?” Unfortunately, it’s not that easy. Companies that have been breached are often seen as negligent, and the government steps in with more calls to regulate. The pressure to comply with policy-based frameworks increases, and companies use those frameworks to help fund and drive improvements in security. While this is good, it teaches executives to aspire to a low bar. Just as passing a health inspection doesn’t guarantee that a restaurant will serve good food, compliance doesn’t guarantee security. It is a minimum requirement, and is not enough to protect an organization from the strategies and tactics being used by hackers today. Target, Home Depot and others were compliant with regulatory standards at the time they were breached.

In Sony’s case, Pricewaterhouse Coopers (PwC) assessed the company’s security prior to its breach and reported that more than 100 devices were unmonitored by corporate security following an incomplete transition from a private security firm to an in-house team. According to PwC, any response to an intrusion would be “slow, fragmented and incomplete, if it would even happen at all.” Sony didn’t take fast enough measures to fix this problem, which made it easier to attack.

Additionally, the “bad guys”, whether they are nation states, cybercrime rings or malicious insiders, are professionalizing and building success in attacking companies. They have developed an entire ecosystem, organizing around the steps they go through to break in and steal data, and buying and selling services to one another. If the malicious actor that has targeted your organization doesn’t have the skills they need to breach your network, they can easily go out and buy them.

Educate the Board Now

You don’t want your first board-level conversation about security to happen after a breach. Boards and executives have a responsibility to protect the organization, and are therefore the most important entity to educate about IT security and champion your company’s strategy. While they are acknowledging the increasing pressure and scrutiny around security, it will be hard to get full buy-in unless they fully understand it's not just a technical issue—it’s a business issue.

Here are five keys to getting buy-in for IT security:

1. Start with the CEO

An unknown person—such as an IT consultant—can’t sit in front of your board and make a case for IT security. The board won’t listen unless your chief executive officer (CEO) gets the message first and becomes a champion for the cause.

You should start a grassroots campaign to get your CEO’s attention. To do this, link risk and security to corporate performance. CEOs don’t want to hear about the widget-of-the-day or what they need to buy to fix a problem. They want to know how IT security has a direct impact on their business challenges and strategies. Talk to them about how an IT security strategy aligns with their business goals. The more you tie IT security to the business, the more likely it is that the CEO will take the conversation to the board.

2. Show the board how they are putting the company—and themselves—at risk

Board members are asking about threats. You have the opportunity to raise awareness by personalizing risks for them, showing them how vulnerabilities can extend beyond the organization to affect them as individuals. Ask questions like:

Does your mobile device contain both personal and corporate data?

Are you using a single mobile device to access data from multiple organizations?

Are you taking that device into high-risk areas when you travel?

If the answer is yes, then it is easy to illustrate how board members could be putting not justyour organization’s sensitive information, but that of other organizations and their own personal data at risk. Detail mobile security threats and current trends in the scope and cost of data breaches, including companies that go out of business after a breach. Include the impact on individual customers, partners and employees; nothing gets people’s attention faster than telling them their livelihood could be affected.

3. Formalize your security program and measure its maturity

The board needs to understand the scope and components of a comprehensive security program, so they can allocate sufficient resources. Establishing a repeatable, measurable program helps to develop business relevance. A plan-build-run model is a useful way for executives to view the functions of an IT security program:

Plan: a security program needs to be based on a business plan—including objectives, projects, performance metrics and budgetary requirements—that aligns with the organization’s overall strategic planning process. Costs should be justified in terms of business benefit and risk mitigation.

Build: IT security build focuses on policy and standards frameworks, the processes being put in place, the solutions being purchased, and the metrics that will be used to assess risk and security.

Run: The run phase focuses on the operating elements of the program including incident management, operations, implementation and monitoring.

The program can be measured with a maturity scale that provides insight into security gaps and opportunities. Maturity is a topic that non-technical executive decision makers can easily understand. As the program progresses, the maturity scale can help board members measure the value security is bringing to the business, gain insight into the organization’s risks, and understand how security has improved over time.

4. Help the board make informed decisions by mapping key risk indicators to key performance indicators

Demonstrate how improperly managed risk can lead to poor business performance. For example, the organization may have a key risk indicator (KRI) that monitors patching levels on systems that host supply chain applications, and a key performance indicator (KPI) that measures the operation of the supply chain. If poor patching levels are discovered, that indicates that the supply chain could be adversely affected, which would negatively impact the supply chain KPI and lead to lost revenue.

Framing the IT security conversation in this way helps to empower board members to make intelligent decisions, and target investments in security to solutions that will make the most impact. They may want to know:

Your current IT security state

The risks of not taking action

What types of actions they can take to minimize their risks

The costs of taking these actions

After you present this information, ask the board what they want to do. If the cost of acting outweighs the risk, they may choose to accept the risk.

5. Build a third-party risk program

You may have good IT security policies and practices, but your partners may not. How can the board be sure your external partners aren’t putting you at risk?

Many companies fail to incorporate IT security requirements into their contracts with vendors and business partners, and do not require risk assessments of vendors with access to their networks.

Third-party vendor management is important for avoiding incidents like the Target breach, which was traced back to the stolen credentials of an HVAC contractor. According to a March 2014 report from the Senate Committee on Commerce, Science, and Transportation, “The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.” Cyber attackers frequently use smaller, less protected providers to compromise the networks of larger companies.

You may want to assess your partners’ security with a questionnaire, and grade them. If they don’t get a passing grade, consider auditing them or conducting a site visit. The information gained from third-party risk assessments can be factored into your maturity scale.

Your legal team can also structure contracts to account for your IT security. What do your partners need to do if they have a breach on their end? Should they inform you of the breach? Revisit your contracts on a regular basis to ensure your partners are secure.

Communication is Critical

“The single biggest problem in communication is the illusion that it has taken place.” – George Bernard Shaw

Making security a board-level priority is critical in the effort to safeguard data, contain breaches and minimize damage in an atmosphere of escalating cyber attacks. Executives are not going to learn technology; unless you have a board member who knows security or a security officer who can report directly to the executive team, you need to convert technology into business language and present it in a meaningful way. Communication is more than giving out information—it’s getting through to your audience. With effective communication, you can get past commonly held misconceptions and link IT security to the business value it provides, so that executives have the insight they need to make the right decisions about your company’s security.